The New Era of Data Protection in India

Update: 2020-01-09 11:02 GMT

India is home to roughly a sixth of the world's population. Furthermore, India has a young demographic with access to two important tools: (i) smartphones and (ii) attractive data tariffs. The unique combination of these factors makes India the world's most attractive destination for digital platforms. These platforms bring together buyers and sellers of various goods and services through a seamless user experience, and they do so by leveraging one key resource: DATA.

Conversations about the use of personal data as a key organizational resource have increased in recent times due to the following factors: the explosion of social media applications and websites, the success of digital e-commerce platforms, and the recognition of privacy as a fundamental right available to every person under the Constitution of India. Furthermore, after observing the success that digital businesses have had by leveraging data, traditional businesses have also recognized the importance of data and have made it a central focus of their business strategies.

This has resulted in growing demands for a robust data protection framework which ensures that businesses collect the personal data of individuals only for legitimate purposes. Such a framework would also enable the Government to exercise regulatory control over businesses which seek to use personal data as a resource. Further, businesses themselves require legislative certainty in order to understand their compliance requirements on issues like the handling of personal data, cross-border transfer of data, data localization, etc. Against this background, the Personal Data Protection Bill, 2019 (the Bill) was tabled before the lower house of the Parliament on 11.12.2019.

The Bill in its present form seeks to create a legislative framework setting out the rights and duties of individuals and of entities processing the personal data of individuals. Terms like 'data' and 'personal data' are broadly defined under the Bill. The term 'data' includes a representation of information, facts, concepts, opinions or instructions in a manner suitable for communication, interpretation or processing by humans or by automated means. 'Personal data' is defined as data about or relating to a natural person who is directly or indirectly identifiable, whether online or offline, or any combination of such features with other information, and includes any inference drawn from such data for the purpose of profiling. Under the Bill, individuals whose personal data is sought to be protected are referred to as 'data principals'. Entities which exercise decisional control over the processing of personal data are referred to as 'data fiduciaries'. 'Processing' is defined inclusively and covers all kinds of operations which may be performed on personal data, such as collection, storage and transfer. Furthermore, the Bill also seeks to regulate 'data processors', i.e., entities which perform specific processing activities on behalf of a data fiduciary. The activities of the State in relation to personal data are also covered, since the State is likewise designated as a 'data fiduciary'.

The Bill, like the EU GDPR, seeks to regulate the processing of personal data of individuals within the territory of India. The obligations arise when personal data is processed by data fiduciaries and data processors, whether online or offline, having a nexus with the territory of India. A close reading of the Bill reveals that entities situated outside India will also have to comply with it if their processing of personal data is in connection with a business offering goods or services to data principals within India, or involves the profiling of data principals within India.

Obligations of Data Fiduciaries

The topic which invites the most discussion in relation to the Bill is the set of obligations placed on data fiduciaries. The aim of the Bill is to ensure that any processing of personal data is carried out for specific, clear and lawful purposes, after providing due notice to the data principal and obtaining their consent. Processing on the basis of explicit consent remains one of the core features of the Bill and is one of several controls which data principals may exercise in asserting their right to privacy. Additionally, all data fiduciaries must undertake certain transparency and accountability measures, such as: (i) implementing security safeguards (such as encryption of data and measures to prevent misuse of data), and (ii) instituting grievance redressal mechanisms to address complaints from individuals. They must also institute mechanisms for age verification and parental consent before processing the personal data of children. Furthermore, the Bill treats sensitive personal data and critical personal data with enhanced safeguards, by placing limitations on the manner in which consent is sought, restricting cross-border transfers for processing, and applying data localization requirements.

Rights of a Data Principal

To operationalize a person's right to privacy, the Bill provides data principals the right to:

(i) seek access and confirmation, i.e., obtain confirmation from the data fiduciary as to whether their personal data has been processed, and for which purposes,

(ii) seek correction of inaccurate, incomplete or out-of-date personal data, and erasure of personal data once the processing for which it was collected is complete,

(iii) seek data portability, i.e., obtain their personal data from a data fiduciary in a structured and machine-readable format so as to ensure interoperability, e.g. to facilitate switching between telecom service providers, and

(iv) be forgotten, i.e., restrict the continuing disclosure of their personal data by a data fiduciary where the disclosure is no longer necessary or consent has been withdrawn.

Departures and Key Takeaways

It is important to note that the Bill introduces novel concepts like 'Significant Data Fiduciaries' and 'Social Media Intermediaries' to specifically cover businesses dealing with significant volumes of personal data.

Further, while it is evident that the inspiration for the Bill is the EU GDPR, there are several areas in which significant departures have been made. A few examples include the definition of processing to include profiling, the Government's right to seek anonymized personal data and non-personal data, and the storage limitation requirements. These departures are generally a matter of concern because, on many occasions, decisional discretion is vested in the Data Protection Authority (the proposed regulatory body which will enforce the obligations under the Bill) and in the central government, reducing predictability for data fiduciaries.

Thus, the key takeaways for businesses are as follows:

• Larger businesses which may foreseeably be categorized as 'Significant Data Fiduciaries' (whether online or offline) should work towards early adoption of a framework for the compliance requirements the Bill will mandate once enacted.

• Businesses will initially need to raise awareness within the organization and appoint a Data Protection Officer to ensure compliance with the upcoming legislation.

• Businesses should internally audit all existing contractual obligations to ensure they comply with the requirements relating to protection of personal data.

• Businesses dealing in any manner with 'sensitive personal data' should brace themselves for stricter compliance requirements.

• Businesses should monitor and maintain an inventory of every transaction involving the sharing of personal data, so that they are able to comply with data principal requests.

Disclaimer – The views expressed in this article are the personal views of the authors and are purely informative in nature.
